Boise State University Information Technology Incident Response Procedure
Updated January 2016
Incident Response Procedure
1. If you suspect a security breach, as defined in the Information Privacy and Data Security Policy, has occurred, you should immediately:
- Isolate the compromised system by unplugging its network connection cable.
- Do not shut down, reboot, access or otherwise alter the machine.
- Contact Help Desk at 426-4357 to report the incident.
2. Upon notification of a potential security breach, the Network Security Lead Investigator at the direction of the Chief Information Security Officer (“CISO”) will:
- Create an incident log to document all reported facts and actions taken
- Work with the individual reporting the breach to identify the systems and type of information affected
- Ensure that the compromised system is properly isolated from the network and that electronic evidence is preserved on a platform suitable for analysis by a court of law.
- If using a wireless network, change the Service Set Identifier (“SSID”) on the access point and other machines that may be using this connection (with the exception of any systems believed to be compromised).
3. If additional investigation or actions are warranted, the CISO will implement the Cybersecurity Incident Response Plan (CIRT) to determine the appropriate course of action.
Questions about this procedure should be directed to the Chief Information Security Officer:
Phone: (208) 426-5701
Created: January 2015
Last Update: July 2022
Next Review: February 2023